- What are data brokers?
- How do data brokers obtain information?
- What types of information do data brokers collect?
- What are the different types of data brokers?
- Who uses data broker information?
- Do any laws regulate data brokers?
1. What are data brokers?
Data brokers collect and aggregate consumer information from a wide range of sources to create detailed profiles of individuals. Generally, they do not obtain this information directly from consumers. Data brokers then sell or share your personal information with others, including businesses, government agencies, other individuals, and other data brokers. In some cases, they might exchange this information under a cooperative arrangement rather than sell it. In other instances, they might provide the information at no cost, making money through advertising or referrals.
The Federal Trade Commission (FTC) has defined data brokers as “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.” Protecting Consumer Privacy in an Era of Rapid Change at page 68.
Data brokers may obtain information from a large number of sources including:
- Government and public records such as court filings, real property and tax assessor records; court filings, recorded liens and mortgages, driver’s license records, motor vehicle records, voter registrations, telephone directories, real estate listings, birth, marriage, divorce and death records, professional license filings, hunting and fishing licenses, and Census demographic information.
- Self-reported information directly from consumers through warranty cards, sweepstakes entries, contests, and surveys. This information may be provided by consumers either online or offline.
- Social media sites such as Facebook, LinkedIn, and others may be used to gather information including consumers’ names, age, gender, location, colleges and universities attended.
- Cooperative arrangements through which companies provide information about their customers in exchange for information to enhance their existing customer lists or identify new customers.
- Purchase or licensing of information from other data brokers, retailers, and financial institutions. This may include consumers’ online activities from advertising networks, data about purchases from retailers and data from sites where consumers register or log in to obtain services.
Data brokers collect a wide range of personal information about consumers. Much of this information is demographic in nature, and may include consumer names, their addresses (and previous addresses), telephone numbers, e-mail addresses, age and gender, family status (marital status and number and ages of children), Social Security numbers, religion, data about real estate owned, political affiliation, estimated income level, educational level, and occupation.
Some data brokers collect lists of people experiencing life event triggers such as getting married, having a baby, moving, buying a home, or getting divorced.
Other data brokers collect more specialized types of information including purchasing history (including automobiles owned), social media history, hobbies and interests, medical conditions, and payment methods used (credit cards and debit cards). The Illustrative List of Data Elements and Segments (Appendix B) in the FTC’s report Data Brokers: A Call for Transparency and Accountability demonstrates the breadth of information collected by data brokers.
The FTC divides the data broker industry into three broad categories based upon the type of product that they sell: (1) marketing products, (2) risk mitigation products, and (3) people search products.
- Data brokers that sell marketing products enable their clients to create tailored marketing messages to consumers. The FTC has grouped these marketing products into direct marketing, including direct mail, telemarketing, and email marketing; online marketing, including marketing to consumers via the Internet, on mobile devices, and through cable and satellite television; and (3) marketing analytics, which attempts to predict consumers’ likely behavior.
- Risk mitigation products fall into two categories: identity verification and fraud detection. Identity verification products assist clients, such as banks in confirming the identity of an individual. Fraud detection products assist clients, such as government agencies, in verifying the reliability or truthfulness of information a person submits to them.
- People search products provide personal information about individuals. Unlike marketing and risk mitigation products, they are generally intended for use by individual consumers, although they can also be used by organizations, law enforcement agencies, private investigators, and the media. Consumers may use people search products to find lost friends or to “snoop” on individuals. These products are sometimes used to facilitate stalking or for other nefarious purposes. People search products may obtain information about consumers from government and other publicly available sources, such as social networks and telephone directories.
Data brokers sell the consumer data that they have compiled to a wide range of customers. These customers may include financial institutions, insurance companies, the hospitality industry, cable and telecommunications companies, political campaigns, retail stores, and even government entities and law enforcement agencies. In addition, many data brokers sell or exchange information with other data brokers.
As an example, the data broker Acxiom’s customers include “47 Fortune 100 clients; 12 of the top 15 credit card issuers; seven of the top 10 retail banks; eight of the top 10 telecom/media companies; seven of the top 10 retailers; 11 of the top 14 automotive manufacturers; six of the top 10 brokerage firms; three of the top 10 pharmaceutical manufacturers; five of the top 10 life/health insurance providers; nine of the top 10 property and casualty insurers; eight of the top 10 lodging companies; two of the top three gaming companies; three of the top five domestic airlines; six of the top 10 U.S. hotels.” U.S. Senate Commerce Committee, A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes (“Rockefeller Report”).
According to the FTC, there are no current federal laws requiring data brokers to maintain the privacy of consumer data unless they use that data for credit, employment, insurance, housing, or other similar purposes. Consumers generally have no federal right to know what information data brokers have compiled about them for marketing purposes. No federal law provides consumers with the right to correct inaccuracies in the data or assumptions made by data brokers.
Vermont's landmark "first in the nation" data broker law became effective on May 22, 2018. Under this law, data brokers must register with the Vermont Secretary of State, provide greater transparency about information collected about consumers, and maintain appropriate information security systems. Data brokers also are prohibited from acquiring or using personal information for stalking, committing fraud or engaging in discrimination.